ORACLE DATABASE SECURITY

Presentation on theme: "ORACLE DATABASE SECURITY"— Presentation transcript:

1 ORACLE DATABASE SECURITY

2 Oracle Database Security Defense-in-Depth
4/19/2017
Encryption and Masking: Oracle Advanced Security, Oracle Secure Backup, Oracle Data Masking
Access Control: Oracle Database Vault, Oracle Label Security
Auditing and Monitoring: Oracle Audit Vault, Oracle Configuration Management, Oracle Total Recall (Oracle Total Recall is available in 11g)
Blocking and Logging: Oracle Database Firewall
Oracle Confidential

3 Agenda
Oracle DB Security
Protecting Data: Encrypt stored data; Mask data that is not used for production
Controlling data access: Implementing the Virtual Private Database (VPD); Using Oracle Label Security (OLS)
TDE
Summary
Oracle Database 10g: Performance Tuning 1-3

5 Data Masking
What is data masking? Data masking is the process of replacing sensitive information with realistic data based on masking rules.
Why use data masking? Use data masking so that data can be shared with nonproduction users such as testing companies.

6 Data Masking: before and after
Before masking (production):
EMPLOYEE_ID  LAST_NAME  DEPARTMENT_ID  PHONE_NUMBER
100          King       90
105          Austin     60
110          Chen
After masking (EMPLOYEE_ID, LAST_NAME and PHONE_NUMBER replaced; DEPARTMENT_ID kept):
EMPLOYEE_ID  LAST_NAME  DEPARTMENT_ID  PHONE_NUMBER
468          Jefferies  90
975          Smith      60
396          Allen      100

7 Data Masking: Features
Uses an irreversible process to replace the sensitive data based on masking rules.
Ensures that the original data cannot be retrieved, recovered, or restored from the masked copy.
Enables you to define a central definition for common data masking formats to be used with all databases.

8 Implementing Data Masking
Security admin: Identify sensitive information; Create data mask formats.
Application DBA: Create masking definitions.
DBA: Clone production to staging; Execute masking job; Clone staging to test.
Environments: Production -> Staging -> Test.
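The masking job of the workflow above, written out as an added example in plain SQL rather than with the Oracle Data Masking Pack the slides refer to. It is not code from the presentation. It assumes HR.EMPLOYEES has been cloned into a staging schema STG as STG.EMPLOYEES (the column names are the HR sample schema's); STG.FAKE_LAST_NAMES and STG.ID_MAP are helper tables invented for this example, and the name pool is constructed data.

```sql
-- Added example, not from the slides: mask a staging copy of HR.EMPLOYEES before
-- the staging database is cloned to test. STG, STG.FAKE_LAST_NAMES and STG.ID_MAP
-- are assumed names; the EMPLOYEES columns are those of the HR sample schema
-- (EMPLOYEE_ID, LAST_NAME, DEPARTMENT_ID, PHONE_NUMBER, MANAGER_ID).

-- 1. Constructed pool of fictitious last names used for substitution.
CREATE TABLE stg.fake_last_names (id NUMBER PRIMARY KEY, last_name VARCHAR2(25));
INSERT INTO stg.fake_last_names VALUES (1, 'Jefferies');
INSERT INTO stg.fake_last_names VALUES (2, 'Smith');
INSERT INTO stg.fake_last_names VALUES (3, 'Allen');
INSERT INTO stg.fake_last_names VALUES (4, 'Ortega');
INSERT INTO stg.fake_last_names VALUES (5, 'Nakamura');
COMMIT;

-- 2. Take every random decision once per employee and store it, so the same new
--    id is applied to EMPLOYEE_ID and to every MANAGER_ID that points at it.
--    New ids start at 1000, above any id in the sample data, so the old and new
--    ranges never overlap and no PK collision can occur during the update.
CREATE TABLE stg.id_map AS
  SELECT employee_id                                           AS old_id,
         1000 + ROW_NUMBER() OVER (ORDER BY DBMS_RANDOM.VALUE) AS new_id,
         TRUNC(DBMS_RANDOM.VALUE(1, 6))                        AS name_id  -- 1..5
    FROM stg.employees;

-- 3. Apply the mask in one statement. DEPARTMENT_ID is deliberately left alone,
--    as on the slide. The self-referencing FK on MANAGER_ID is assumed disabled
--    in staging for the duration of the update. The correlated subqueries see the
--    pre-update EMPLOYEE_ID values; DBMS_RANDOM.VALUE is evaluated per row.
UPDATE stg.employees e
   SET e.employee_id  = (SELECT m.new_id FROM stg.id_map m WHERE m.old_id = e.employee_id),
       e.manager_id   = (SELECT m.new_id FROM stg.id_map m WHERE m.old_id = e.manager_id),
       e.last_name    = (SELECT f.last_name
                           FROM stg.id_map m
                           JOIN stg.fake_last_names f ON f.id = m.name_id
                          WHERE m.old_id = e.employee_id),
       e.phone_number = TRUNC(DBMS_RANDOM.VALUE(200, 999)) || '.'
                     || LPAD(TRUNC(DBMS_RANDOM.VALUE(0, 1000)), 3, '0') || '.'
                     || LPAD(TRUNC(DBMS_RANDOM.VALUE(0, 10000)), 4, '0');
COMMIT;

-- 4. Destroy the mapping. Without it there is no path from a masked id back to
--    the real one, which is what makes the masking irreversible.
DROP TABLE stg.id_map PURGE;
DROP TABLE stg.fake_last_names PURGE;

-- 5. Checks to run before cloning staging to test: no original id survived
--    (all ids are now >= 1000) and every MANAGER_ID still resolves.
SELECT COUNT(*) AS unmasked_ids FROM stg.employees WHERE employee_id < 1000;
SELECT COUNT(*) AS dangling_managers
  FROM stg.employees e
 WHERE e.manager_id IS NOT NULL
   AND NOT EXISTS (SELECT 1 FROM stg.employees m WHERE m.employee_id = e.manager_id);
```

Both check queries should return 0. The mapping table is the only thing that could reverse the id substitution, so dropping it (with PURGE, so it does not linger in the recycle bin) is part of the job, not cleanup. Note that the masked copy still has the real row count and the real department distribution; if those are themselves sensitive, a masking definition has to cover them too.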

9 Data Masking

10 Agenda
Oracle DB Security
Protecting Data: Encrypt stored data; Mask data that is not used for production; TDE
Controlling data access: Implementing the Virtual Private Database (VPD); Using Oracle Label Security (OLS)
Summary

11 Discretionary Access Control
GRANT SELECT ON emp TO JOE;      -- Joe can now read every row of emp
REVOKE SELECT ON emp FROM FRED;  -- Fred no longer can
Object privileges apply to a whole table. How do we secure access at the row or column level?

12 Oracle VPD
A Virtual Private Database (VPD) combines an application context and FGAC.
Fine-grained access control: associate security policies with database objects.
Application context: define and access application or session attributes.
Enforce business rules to limit row access.
Use a secure application context to provide high-performance resolution of user attributes.

13 Why VPD? Scalability, Simplicity, Security
Scalability: Table Customers contains 1,000 customer records. Suppose we want customers to access their own records only. Using views, we need to create 1,000 views. Using VPD, it can be done with a single policy function.
Simplicity: Say we have a table T and many views are based on T. Suppose we want to restrict access to some information in T. Without VPD, all view definitions have to be changed. Using VPD, it can be done by attaching a policy function to T; because the policy is enforced on T, it is also enforced for all the views that are based on T.
Security: Server-enforced security (as opposed to application-enforced). It cannot be bypassed, with two exceptions: the SYS user, and any user granted the EXEMPT ACCESS POLICY system privilege, are not subject to VPD policies.

14 How Fine-Grained Access Control Works
1. The user accesses a table or view with a policy.
2. The data server calls the policy function.
3. The policy function returns a predicate.
4. The data server adds the predicate to the statement.
5. The data server executes the modified statement.
SELECT * FROM orders;
becomes
SELECT * FROM orders WHERE customer_id = SYS_CONTEXT('oeapp', 'cust_id');

15 Application Context
Application contexts act as secure caches of data that may be used by a fine-grained access control policy. Upon logging into the database, Oracle sets up an application context in the user's session. You can define, set and access application attributes that you can use as a secure data cache. There is a predefined application context, USERENV.

16 Application Context
You can create a customized application context with your own attributes. Say each employee can access a portion of the Customers table, based on job position. For example, a clerk can access only the records of customers who live in a region assigned to that clerk, but a manager can access any record. Suppose the job positions of employees are stored in an LDAP server (or in the Employee table). That information can be looked up and cached in an application context when an employee logs in.

17 VPD: Example Demo
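A complete VPD setup covering both the rewrite shown on slide 14 and the role-based context of slide 16, as an added example that is not the demo from the presentation. It uses Oracle's OE sample schema (OE.ORDERS with CUSTOMER_ID); the table OE.CUST_ACCOUNTS and its rows are constructed for the example, and OE_CTX_PKG, ORDERS_POLICY, ORDERS_OWN_ROWS and the trigger name are names chosen here.

```sql
-- Added example, not from the slides: a VPD policy on OE.ORDERS that limits a
-- customer to its own rows and lets managers see everything. OE.CUST_ACCOUNTS,
-- OE_CTX_PKG, ORDERS_POLICY, ORDERS_OWN_ROWS and SET_OEAPP_CTX are assumed names.

-- 1. Constructed mapping from database user to customer id and job role.
CREATE TABLE oe.cust_accounts (
  db_user     VARCHAR2(128) PRIMARY KEY,
  customer_id NUMBER(6),
  job_role    VARCHAR2(20));
INSERT INTO oe.cust_accounts VALUES ('CUST101', 101,  'CUSTOMER');
INSERT INTO oe.cust_accounts VALUES ('CUST102', 102,  'CUSTOMER');
INSERT INTO oe.cust_accounts VALUES ('MGR1',    NULL, 'MANAGER');
COMMIT;

-- 2. The namespace is bound to one package: only OE_CTX_PKG may call
--    DBMS_SESSION.SET_CONTEXT for 'oeapp', so a session cannot set its own cust_id.
--    (CREATE ANY CONTEXT privilege is needed for this statement.)
CREATE OR REPLACE CONTEXT oeapp USING oe.oe_ctx_pkg;

CREATE OR REPLACE PACKAGE oe.oe_ctx_pkg AS
  PROCEDURE set_attrs;
END oe_ctx_pkg;
/
CREATE OR REPLACE PACKAGE BODY oe.oe_ctx_pkg AS
  PROCEDURE set_attrs IS
    v_cust_id oe.cust_accounts.customer_id%TYPE;
    v_role    oe.cust_accounts.job_role%TYPE;
  BEGIN
    -- Look the user up once at logon; the result is cached in the session context.
    SELECT customer_id, job_role INTO v_cust_id, v_role
      FROM oe.cust_accounts
     WHERE db_user = SYS_CONTEXT('USERENV', 'SESSION_USER');
    DBMS_SESSION.SET_CONTEXT('oeapp', 'cust_id', TO_CHAR(v_cust_id));
    DBMS_SESSION.SET_CONTEXT('oeapp', 'role',    v_role);
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      NULL;  -- unknown user: attributes stay NULL and the policy fails closed
  END set_attrs;
END oe_ctx_pkg;
/

-- 3. Populate the context once per session (needs ADMINISTER DATABASE TRIGGER).
--    Any unhandled error here would block logons, hence the narrow exception above.
CREATE OR REPLACE TRIGGER oe.set_oeapp_ctx AFTER LOGON ON DATABASE
BEGIN
  oe.oe_ctx_pkg.set_attrs;
END;
/

-- 4. The policy function returns a predicate string that the server appends to
--    every statement on the protected object. If cust_id was never set,
--    "customer_id = NULL" matches no rows, so an unmapped user sees nothing.
CREATE OR REPLACE FUNCTION oe.orders_policy (
  p_schema IN VARCHAR2, p_object IN VARCHAR2) RETURN VARCHAR2 AS
BEGIN
  IF SYS_CONTEXT('oeapp', 'role') = 'MANAGER' THEN
    RETURN '1=1';  -- manager: no row restriction
  END IF;
  RETURN 'customer_id = SYS_CONTEXT(''oeapp'', ''cust_id'')';
END orders_policy;
/

-- 5. Attach the function to OE.ORDERS for all DML. update_check => TRUE also
--    rejects INSERT/UPDATE rows that would fall outside the user's own predicate.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'OE',
    object_name     => 'ORDERS',
    policy_name     => 'ORDERS_OWN_ROWS',
    function_schema => 'OE',
    policy_function => 'ORDERS_POLICY',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    update_check    => TRUE);
END;
/

-- 6. Connected as CUST101, this is executed as
--    SELECT order_id, customer_id FROM oe.orders
--     WHERE customer_id = SYS_CONTEXT('oeapp', 'cust_id')
--    and returns only customer 101's orders; as MGR1 it returns every order.
SELECT order_id, customer_id FROM oe.orders;
```

The security of the scheme rests on two things: the context can only be written by the package named in CREATE CONTEXT, and the policy function runs inside the server, so a client that connects with its own SQL gets the same predicate as the application. Remember the two bypasses from slide 13: SYS and holders of EXEMPT ACCESS POLICY are not filtered, so that privilege should be granted to nobody but the accounts that genuinely need it (for example for full exports).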

18 Agenda
Protecting Data: Encrypt stored data; Mask data that is not used for production; TDE
Controlling data access: Implementing the Virtual Private Database (VPD); Using Oracle Label Security (OLS)
Summary

19 Oracle Label Security
Discretionary Access Control:
GRANT SELECT ON emp TO JOE;      -- Joe
REVOKE SELECT ON emp FROM FRED;  -- Fred

20 Oracle Label Security: Access Mediation
A SQL request passes two checks in order:
1. Discretionary access control: is the SELECT object privilege granted?
2. OLS access mediation: does the user clearance dominate the data row label?
Example for a user whose clearance is Confidential:
Location   Storage       OLS Label      Access
Nevada     Conventional  Sensitive      X (denied)
Montana    Nuclear       Highly Sens.   X (denied)
Colorado   Medical       Confidential   allowed
The objects in the database can have rows that are labeled. Access to rows is restricted on the basis of Oracle Label Security authorizations.

21 How Sensitivity Labels Are Used
Users carry authorizations (labels such as Top Secret or Secret); data rows carry sensitivity labels. Access mediation compares the user's authorization label with the row's data sensitivity label and releases the row only if the user's label dominates it.

22 Oracle Label Security Demo
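The mediation flow of slide 20 built with the Oracle Label Security administrative packages, as an added example that is not the demo from the presentation. It assumes OLS is installed and enabled in the database and that the script runs as LBACSYS (or as an administrator holding LBAC_DBA plus the FAC_POLICY_DBA role that is created together with the policy). The policy name FAC_POLICY, the label column FAC_LABEL, the table APP.FACILITIES and the users APP and ALICE are names chosen for this example; the three rows are the slide's.

```sql
-- Added example, not from the slides: label-based row access with Oracle Label
-- Security. FAC_POLICY, FAC_LABEL, APP.FACILITIES, APP and ALICE are assumed names.

-- 1. Policy with its label column and enforcement options. This also creates the
--    FAC_POLICY_DBA role used to administer the policy.
BEGIN
  SA_SYSDBA.CREATE_POLICY(
    policy_name     => 'FAC_POLICY',
    column_name     => 'FAC_LABEL',
    default_options => 'READ_CONTROL,WRITE_CONTROL');
END;
/
-- 2. Levels. A higher number dominates a lower one; the short name is what
--    CHAR_TO_LABEL and SET_LEVELS take.
BEGIN
  SA_COMPONENTS.CREATE_LEVEL('FAC_POLICY', 100, 'C',  'CONFIDENTIAL');
  SA_COMPONENTS.CREATE_LEVEL('FAC_POLICY', 200, 'S',  'SENSITIVE');
  SA_COMPONENTS.CREATE_LEVEL('FAC_POLICY', 300, 'HS', 'HIGHLY_SENSITIVE');
END;
/
-- 3. Data labels (level only; compartments and groups are left out here).
BEGIN
  SA_LABEL_ADMIN.CREATE_LABEL('FAC_POLICY', 1000, 'C');
  SA_LABEL_ADMIN.CREATE_LABEL('FAC_POLICY', 2000, 'S');
  SA_LABEL_ADMIN.CREATE_LABEL('FAC_POLICY', 3000, 'HS');
END;
/
-- 4. Protect the table. APPLY_TABLE_POLICY adds the FAC_LABEL column to it.
CREATE TABLE app.facilities (location VARCHAR2(20), storage VARCHAR2(20));
BEGIN
  SA_POLICY_ADMIN.APPLY_TABLE_POLICY(
    policy_name => 'FAC_POLICY',
    schema_name => 'APP',
    table_name  => 'FACILITIES');
END;
/
-- 5. Clearances. APP may read and write from C up to HS (needed to load every
--    row); ALICE is cleared to C only, the "Confidential" user of the slide.
BEGIN
  SA_USER_ADMIN.SET_LEVELS('FAC_POLICY', 'APP',   'HS', 'C');
  SA_USER_ADMIN.SET_LEVELS('FAC_POLICY', 'ALICE', 'C',  'C');
END;
/
-- 6. Step one of the mediation flow is still DAC: without an object privilege
--    ALICE's request never reaches label checking at all.
GRANT SELECT ON app.facilities TO alice;

-- 7. As APP: load the slide's rows with explicit labels. WRITE_CONTROL accepts
--    them because each label lies inside APP's write range (C..HS).
INSERT INTO app.facilities (location, storage, fac_label)
  VALUES ('Nevada',   'Conventional', CHAR_TO_LABEL('FAC_POLICY', 'S'));
INSERT INTO app.facilities (location, storage, fac_label)
  VALUES ('Montana',  'Nuclear',      CHAR_TO_LABEL('FAC_POLICY', 'HS'));
INSERT INTO app.facilities (location, storage, fac_label)
  VALUES ('Colorado', 'Medical',      CHAR_TO_LABEL('FAC_POLICY', 'C'));
COMMIT;

-- 8. As ALICE: her clearance C dominates only the C-labelled row, so the
--    Sensitive and Highly Sensitive rows are filtered out before the statement
--    ever sees them; no WHERE clause is needed, or possible to evade.
SELECT location, storage, LABEL_TO_CHAR(fac_label) AS row_label
  FROM app.facilities;
```

Run as ALICE, the final query returns the single Colorado row; run as APP it returns all three. The important property is that the filtering happens in the server on every access path to the table, the same way VPD does, but the rule is fixed by the label comparison rather than by a predicate the policy author writes, which is why OLS suits classification-style data while VPD suits arbitrary business rules.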

23 Thank you!

